fix(template): restore CA trust signals and automate changelog sync

[JSONbored]

Summary

Fixes the CA trust-signal gaps for sure-aio by correcting template metadata, improving Unraid-facing install guidance, and automating template changelog updates from the canonical project changelog.

What changed

• fix CA category tokens in sure-aio.xml to valid values (Productivity Tools-Utilities)
• add and maintain a proper <Changes> block in sure-aio.xml
• improve template Overview content for Unraid UX:
  • clearer beginner quick-start flow
  • explicit SECRET_KEY_BASE generation instructions
  • concise power-user guidance
• add scripts/update-template-changes.py to sync XML <Changes> from latest CHANGELOG.md release section
• wire release automation to run changelog->template sync during:
  • Release / Sure-AIO action=prepare
  • Release / Sure-AIO action=full
• extend CI validation to compile-check the new sync script
• add optional Docker Hub publish path in CI (when DOCKERHUB_USERNAME + DOCKERHUB_TOKEN are configured) so CA can resolve Last Update metadata more reliably

Why

• CA was showing weak trust signals for sure-aio:
  • Last Update: Unknown
  • missing/insufficient changelog presentation
  • prior category formatting issues
• template changelog content was previously manual and drift-prone
• release flow needed deterministic, repeatable propagation of changelog metadata into the Unraid template

Validation

• python3 scripts/validate-template.py
• PYTHONPYCACHEPREFIX=/tmp/sure-aio-pyc python3 -m py_compile scripts/release.py scripts/validate-template.py scripts/check-upstream.py scripts/update-template-changes.py
• local run of:
  • python3 scripts/update-template-changes.py "$(python3 scripts/release.py latest-changelog-version)"

Notes

• Last Update in CA depends on CA registry metadata behavior and feed refresh timing; this PR adds the required workflow support but display timing remains CA-refresh dependent.
• Ensure Docker Hub repo/secrets are configured to activate dual-publish behavior.